Symantec Security Response SMNTC-1261
History: Nov 07, 2012 - 8:00 a.m.

Symantec Legacy Decomposer CAB File Issues

2012-11-07 08:00:00
Symantec Security Response

EPSS: 0.021 (Low), percentile 89.2%

SUMMARY

Symantec’s legacy Decomposer engine fails to properly handle bounds checking when parsing files from some versions of CAB archives. In the majority of cases this results in an application crash. A successfully crafted malicious CAB file could potentially result in arbitrary code execution on the targeted system.

AFFECTED PRODUCTS

| Product | Version | Build | Solution |
|---|---|---|---|
| Symantec Endpoint Protection | 11.0 | All | Run LiveUpdate, implement the mitigations indicated below, or upgrade to SEP 12.1 |
| Symantec Endpoint Protection Small Business Edition | 12.0 | All | Run LiveUpdate, implement the mitigations indicated below, or upgrade to SEP 12.1 |
| Symantec Endpoint Protection Small Business Edition 2013 | This issue has been resolved for SEP SBE 2013 cloud-managed customers (formerly Symantec Endpoint Protection.cloud). | All | Any customer with an existing redistributable package which includes an agent to protect Windows Servers or Windows XP 64-bit machines needs to re-create this package. |
| Symantec AntiVirus Corporate Edition (SAVCE) | 10.x | All | SAVCE 10.x is EOL. Customers still on SAVCE should implement the mitigations indicated below or upgrade to SEP 12.1 |
| Symantec Scan Engine (SSE) | 5.2.7.x and prior (EOL) | All | SSE 5.2.8 or later. Symantec Protection Engine for Cloud Services 7.0.x |

NOTE: The products and versions reflected above are impacted by this issue. SSE 5.2.7.x and prior are End of Life. SAVCE 10.x is End of Life.

NONE of our other currently supported products are affected.

ISSUES

Decomposer Engine insufficient bounds checking on cab files - High


| CVSS2 Base Score | Impact | Exploitability | CVSS2 Vector |
|---|---|---|---|
| 9.33 | 10 | 8.58 | AV:N/AC:M/Au:N/C:C/I:C/A:C |

| CVE | BID | Description |
|---|---|---|
| CVE-2012-4953 | BID 56399 | Symantec Legacy Decomposer CAB File Issues |

MITIGATION

Details

CERT notified Symantec of a potential vulnerability related to improper checks during extraction of content from some types of CAB files. Legacy versions of the Symantec Decomposer fail to perform proper bounds checks on some specifically formatted files when parsing content to be scanned from the CAB archive. This could result in a denial-of-service crash of the Symantec Endpoint Protection application. While not fully verified, if successfully developed and targeted, malicious content in such a CAB file could potentially result in arbitrary remote code being executed with application privileges on the clients.

Successful targeting of this nature would require the attacker to be able to get their maliciously formatted archive past established email security policies to be processed on a system. This may lessen the success of any potential attempts of this nature though it does not reduce the severity if targeting is successful…

Symantec Response

Symantec engineers verified that legacy versions of our Decomposer engines are susceptible to crashing from such a malformed file. While the potential exists, Symantec was unable to verify remote code execution based on this behavior.

The latest version releases of our products run updated versions of the Decomposer engine that are not impacted by CERT’s findings.

Symantec recommends affected customers migrate to the latest version of the SEP product to address threats of this nature.

Symantec is not aware of any customers affected by this issue or any malicious attempts to exploit this issue.

Mitigations

SEP 11.0 or 12.0 SBE clients: Download updated Decomposer engine via Symantec LiveUpdate

Symantec has made an update to the latest non-vulnerable Decomposer engine available for SEP 11.0 and 12.0 SBE clients. This update can be downloaded using the LiveUpdate option in the SEP client, or distributed from the Symantec Endpoint Protection Managers and Group Update Providers.

Symantec has published a document with additional details on the Decomposer update here: TECH200168.

Alternative Mitigation Options

For additional details and examples on the mitigation options, please see the following Knowledge Base article: TECH199470 “SYM12-017 Symantec Legacy Decomposer CAB File Issues”.

Symantec AntiVirus 10.x clients are also affected by this vulnerability. SAV 10.x has officially reached end-of-life status and is no longer supported. However, if you are still using SAV 10.x and wish to mitigate this vulnerability, you may use the manual mitigation options listed below or upgrade to a current version of Symantec Endpoint Protection.

Option 1: Apply the Symantec Decomposer Update Tool

Symantec has released an Update Tool, SYM12_017_Fixtool.exe, to update Symantec Endpoint Protection 11.0.5 to 11.0.7 MP3 clients to the latest decomposer engine.

Any SEP 11.0 releases prior to RU5 are not supported by the SYM12_017_Fixtool.exe tool. SEP 12.0 is also not supported by this tool.

To download and review the functionality and usage of the Decomposer Update Tool, please review the following Knowledge Base article: TECH199470 “SYM12-017 Symantec Legacy Decomposer CAB File Issues”.

Option 2: Disable CAB file scanning

To mitigate this vulnerability, users may disable CAB file scanning until a more permanent fix is available or the user has moved to the current SEP 12.1 release.

Note: This change will only disable the decomposer engine from scanning inside a compressed CAB file during a manual or scheduled scan. During extraction of the CAB file, the AutoProtect engine or a scheduled/manual scan will scan and remediate any threats detected.

To disable CAB scanning:

  1. In Windows Explorer, open the Symantec Endpoint Protection installation folder. The location of this folder varies by product and operating system. The default installation directory for SEP 11.x is C:\Program Files\Symantec\Symantec Endpoint Protection\

  2. Make a backup copy of the file Dec3.cfg, e.g., Dec3_backup.cfg

  3. In an ASCII text editor such as Notepad, open the file Dec3.cfg

  4. The fifth line of the file contains a number that corresponds to the number of .dll files listed below it. Verify that this is the case

  5. Reduce the number in the fifth line by 1

  6. Find the following line:
    Dec2CAB.dll

  7. Remove the Dec2CAB.dll line and the line that immediately follows.

  8. Close and save the Dec3.cfg file

  9. Restart the Symantec Endpoint Protection service

If desired, an administrator can deploy the fix via a third-party deployment tool. One method would be to script the fix by copying the Dec3.cfg file from a manually repaired machine and deploying it to other endpoints. However, older versions of the Dec3.cfg file differ slightly. Please note: to ensure compatibility with the scripted Dec3.cfg file, any client using SEP 11.0 RTM through SEP 11.0 MR4 MP2 should only use a scripted Dec3.cfg file from a SEP 11.0 RTM through SEP 11.0 MR4 MP2 client. Clients running SEP 11.0 RU5 and above will require a scripted Dec3.cfg file from a SEP 11.0 RU5 or above client.
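The manual Dec3.cfg edit in steps 1-9 above, expressed as a script an administrator could run on each endpoint instead of copying a repaired file between builds. This is an added example, not Symantec's tool or a file from a real installation: the sample Dec3.cfg is constructed from the advisory's description (count on the fifth line, a .dll name plus one following line per entry), and the header text, parameter lines and DecoderA.dll name are placeholders. The script refuses to write anything when the count on line 5 does not match the listed DLLs or Dec2CAB.dll is already absent.

```python
import shutil
from pathlib import Path

COUNT_LINE = 4              # zero-based index of the advisory's "fifth line" (the DLL count)
TARGET_DLL = "Dec2CAB.dll"  # CAB decomposer module named in the advisory
# Constructed sample in the layout the advisory describes: four header lines, a count
# line, then one .dll name plus one following line per entry. Header text, parameter
# lines and the DecoderA.dll name are placeholders, not values from a real Dec3.cfg.
SAMPLE_DEC3_CFG = """\
header line 1
header line 2
header line 3
header line 4
2
DecoderA.dll
param-a
Dec2CAB.dll
cab-setting
"""


def disable_cab_decomposer(cfg_text: str) -> str:
    """Apply steps 4-7 of the advisory to the text of Dec3.cfg and return the new text.
    Raises ValueError, leaving the file untouched, if the count check fails or
    Dec2CAB.dll is not listed (e.g. the workaround was already applied)."""
    lines = cfg_text.splitlines()
    if len(lines) <= COUNT_LINE:
        raise ValueError("Dec3.cfg has fewer than five lines")
    try:
        declared = int(lines[COUNT_LINE].strip())
    except ValueError:
        raise ValueError("line 5 is not a numeric DLL count") from None
    body = lines[COUNT_LINE + 1:]
    listed = sum(1 for l in body if l.strip().lower().endswith(".dll"))
    if declared != listed:                     # step 4: verify before changing anything
        raise ValueError(f"line 5 declares {declared} DLLs but {listed} are listed")
    idx = next((i for i, l in enumerate(body) if l.strip() == TARGET_DLL), None)
    if idx is None:
        raise ValueError(f"{TARGET_DLL} not listed; CAB scanning may already be disabled")
    body = body[:idx] + body[idx + 2:]         # step 7: drop the DLL line and the one after it
    return "\n".join(lines[:COUNT_LINE] + [str(declared - 1)] + body) + "\n"  # step 5


def patch_dec3_cfg(install_dir: Path) -> Path:
    """Steps 1-3 and 8: back up Dec3.cfg as Dec3_backup.cfg, rewrite it, return the backup."""
    cfg = install_dir / "Dec3.cfg"
    backup = install_dir / "Dec3_backup.cfg"
    shutil.copy2(cfg, backup)
    cfg.write_text(disable_cab_decomposer(cfg.read_text()))
    return backup
```

Run `patch_dec3_cfg(Path(r"C:\Program Files\Symantec\Symantec Endpoint Protection"))` with the install folder for the product in question, then restart the Symantec Endpoint Protection service (step 9); the function does not do that itself.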

Option 3: Disable compressed file scanning

As an alternative mitigation option, customers may centrally disable compressed file scanning in their manual and e-mail tool scans. This disables scanning of all compressed files, not simply .cab files. For instructions, please reference the following knowledge base article: http://www.symantec.com/docs/TECH199543

However, these files, when uncompressed, will continue to be scanned by AutoProtect or during manual scans. The setting for disabling compressed file scanning will need to be changed in all administrator and active scans, as well as the Exchange and Lotus Notes e-mail client tools.

Note: A system remains in a vulnerable state as long as .cab file scanning is enabled. This workaround simply lowers the risk while still providing real time protection via the AutoProtect engine in SEP. With this configuration in place the .cab file decomposer engine will only be utilized if a user right-clicks and scans on a .cab file or if a user-created scan on the machine does not include the “disable compressed file scanning” solution.

Please Note: Archive files, when uncompressed, will continue to be scanned by AutoProtect or during manual/scheduled scans. While this configuration setting is in use, if a user downloads a compressed file (such as a .cab or .zip) to the system, the compressed file will not be scanned on the next scheduled administrator scan. However, if the user attempts to extract the file for use, AutoProtect will scan the files prior to launch and convict any infected files.

Best Practices
Symantec gateway and groupware products detect malformed archive/container files such as these by default. Administrative policy controls exist in Symantec gateway/groupware products for these types of malformed files to be blocked or stripped prior to entering the network or quarantined for administrative review and actions. Symantec recommends such policy controls be used as part of any email security policy to restrict potentially harmful content.

  • Restrict access to administration or management systems to privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of exploit by threats.
  • Keep all operating systems and applications updated with the latest vendor patches.
  • Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

ACKNOWLEDGEMENTS

Symantec credits Will Dormann with CERT/CC for reporting this issue.

REFERENCES

US-CERT Vulnerability Note VU#985625

BID: Security Focus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.

CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
